
sftp chroot - Red Hat 5.3

 
SOLVED
MikeL_4
Super Advisor

sftp chroot - Red Hat 5.3

I am running Red Hat 5.3 and had a request to set up a user for sftp, and I want to lock the login id to the home directory, just as I am doing for normal ftp using vsftpd...

I added the line: ftpleaps /home/ftpleaps
to the /etc/security/chroot.conf file.
Added the line:
session required pam_chroot.so debug
to the /etc/pam.d/sshd file.

And created the user, ftpleaps that will be using sftp...

Using this ID I can sftp into the server just fine, but I am still able to change to different directories, I'm not locked into just the home directory...

Any ideas as to what I may be missing ??
10 REPLIES
Ivan Ferreira
Honored Contributor

Re: sftp chroot - Red Hat 5.3

Check this page:

http://www.minstrel.org.uk/papers/sftp/builtin/
Why do it the hard way, when you can do it the easy way?
Ivan Ferreira
Honored Contributor

Re: sftp chroot - Red Hat 5.3

And also:

http://v2.robbyt.com/2008/howto/chrooted-sftp-with-openssh-5/
Why do it the hard way, when you can do it the easy way?
Ivan Ferreira
Honored Contributor
Solution

Re: sftp chroot - Red Hat 5.3

I tested with this installation guide:

http://www.dotnux.com/?p=3

And the sshd_configuration in previous links. It works correctly.
Why do it the hard way, when you can do it the easy way?
MikeL_4
Super Advisor

Re: sftp chroot - Red Hat 5.3

I got down to installing the rpm's generated and then it failed:

[root@mfl-rhel5 i386]# ls -al
total 1004
drwxr-xr-x 2 root root 4096 Aug 20 08:39 .
drwxr-xr-x 9 root root 4096 Mar 17 15:20 ..
-rw-r--r-- 1 root root 272536 Aug 20 08:39 openssh-5.2p1-1.i386.rpm
-rw-r--r-- 1 root root 431979 Aug 20 08:39 openssh-clients-5.2p1-1.i386.rpm
-rw-r--r-- 1 root root 16708 Aug 20 08:39 openssh-debuginfo-5.2p1-1.i386.rpm
-rw-r--r-- 1 root root 269427 Aug 20 08:39 openssh-server-5.2p1-1.i386.rpm
[root@mfl-rhel5 i386]# rpm -Uvh openssh*rpm
error: Failed dependencies:
openssh = 4.3p2-29.el5 is needed by (installed) openssh-askpass-4.3p2-29.el5.i386
[root@mfl-rhel5 i386]# rpm -qa |grep -i openssh
openssh-clients-4.3p2-29.el5
openssh-4.3p2-29.el5
openssh-askpass-4.3p2-29.el5
openssh-server-4.3p2-29.el5
[root@mfl-rhel5 i386]#
Ivan Ferreira
Honored Contributor

Re: sftp chroot - Red Hat 5.3

Remove all openssh* packages currently installed; it cannot be upgraded because askpass is not in the packages generated.
Why do it the hard way, when you can do it the easy way?
MikeL_4
Super Advisor

Re: sftp chroot - Red Hat 5.3

That got this version installed ok...

Is there a document for the rest of the setup for sftp chroot for this version of openssh ?
Ivan Ferreira
Honored Contributor

Re: sftp chroot - Red Hat 5.3

Just follow the instructions in:

http://v2.robbyt.com/2008/howto/chrooted-sftp-with-openssh-5/

Starting with the section "edit sshd_config"

The sections "configure pam_mkhomedir" and below are optional.
Why do it the hard way, when you can do it the easy way?
MikeL_4
Super Advisor

Re: sftp chroot - Red Hat 5.3

Have it all installed, but when I try to do an sftp with an ID that is in sftponly group they get disconnected:

sftp ftpleaps@crulsbx1
ftpleaps@crulsbx1's password:
Connection to crulsbx1 closed by remote host.
Connection closed

I can do an sftp with another ID not in sftponly group and works fine, except that the ID isn't locked to the directory..
MikeL_4
Super Advisor

Re: sftp chroot - Red Hat 5.3

Ivan

never mind, I had a problem, I forgot to change the home directory to be owned by root:root instead of the user.... after that able to get in just fine..
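
The disconnect right after the password prompt in this thread is what sshd does when the ChrootDirectory target fails its ownership check: every component of the path must be a root-owned directory that is not writable by group or other. The following Python check is an added example, not part of the original thread; the function name and the sample uid 500 are constructed for illustration.

```python
import os
import stat
import sys
from collections import namedtuple

def chroot_path_problems(path, stat_fn=os.stat):
    """List (component, reason) pairs that break sshd's ChrootDirectory rule:
    every path component must be a root-owned directory that is not
    writable by group or other."""
    components, current = ["/"], "/"
    for part in os.path.abspath(path).strip("/").split("/"):
        if part:
            current = os.path.join(current, part)
            components.append(current)
    problems = []
    for comp in components:
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append((comp, "cannot stat: %s" % exc.strerror))
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != 0:
            problems.append((comp, "owner uid %d, must be root" % st.st_uid))
        if st.st_mode & 0o022:
            mode = stat.S_IMODE(st.st_mode)
            problems.append((comp, "group/other writable (mode %o)" % mode))
    return problems

# Constructed sample: the state described in the thread before the fix,
# with the home directory still owned by the user (uid 500 is made up).
FakeStat = namedtuple("FakeStat", "st_mode st_uid")
SAMPLE = {
    "/": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/home": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/home/ftpleaps": FakeStat(stat.S_IFDIR | 0o700, 500),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = chroot_path_problems(sys.argv[1])  # check the real filesystem
    else:
        found = chroot_path_problems("/home/ftpleaps", SAMPLE.__getitem__)
    for comp, reason in found:
        print("%s: %s" % (comp, reason))
    sys.exit(1 if found else 0)
```

Run it with the chroot path as the argument before restarting sshd; a non-zero exit means sshd would refuse the chroot for that path.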